
Network Policy Server

Network Policy Server (NPS) is Microsoft's implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2008, and the replacement for Internet Authentication Service (IAS) in Windows Server 2003. NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with the following features:



RADIUS Server:

Performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network connections, and for connections to computers running Terminal Services Gateway. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests. To deploy NPS with TS Gateway, you must deploy TS Gateway on the local or a remote computer that is running Windows Server 2008. To deploy NPS with Routing and Remote Access configured as a VPN server, a member of a VPN site-to-site configuration, or a dial-up server, you must deploy Routing and Remote Access on the local or a remote computer that is running Windows Server 2008.


RADIUS Proxy:

When you use NPS as a RADIUS proxy, you can configure connection request policies that tell the NPS server which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests.


Network Access Protection (NAP) policy server:

When configured as a NAP policy server, NPS evaluates statements of health sent by NAP-capable client computers that want to connect to the network. It also acts as a RADIUS server when configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings including system health validators, health policy, and remediation server groups. Installation of the Network Policy and Access Services role installs the Network Policy Server component and the RADIUS role.


802.3 Wired

You can configure 802.1X-based connection request policies for 802.3 wired client Ethernet network access. You can also configure 802.1X-compliant switches as RADIUS clients in NPS, and use NPS as a RADIUS server to process connection requests, authentication, authorization, and accounting for 802.3 Ethernet connections.


802.11 Wireless

You can configure 802.1X-based connection request policies for 802.11 wireless client network access. You can also configure wireless access points as RADIUS clients in NPS, and use NPS as a RADIUS server to process connection requests and perform authentication, authorization, and accounting for 802.11 wireless connections. You can integrate 802.11 wireless access with NAP when deploying a wireless 802.1X infrastructure so that wireless clients are verified against health policies before they are allowed to connect to the network.

You can also use NPS to deploy secure password authentication with Protected Extensible Authentication Protocol (PEAP)-MS-CHAP v2 for wireless connections. To deploy NPS with secure 802.1X wired or wireless access, you must enroll a server certificate to the server running NPS using Active Directory Certificate Services or a public certification authority. To deploy EAP-TLS or PEAP-TLS, you must also enroll computer or user certificates, which requires you to design and deploy a public key infrastructure using AD CS.


Installing a Network Policy Server

1. Open Server Manager

2. Click the Add Roles link in the Actions pane.

3. On the Welcome page, click Next

4. From the list of roles to install, select Network Policy and Access Services, and click Next

5. Review the information provided on the Welcome page, and click Next

6. On the Select Role Services page, select which role services to install on the server, and click Next

7. On the Certificate Authority page, choose whether to install a local CA for issuing health certificates or to use an existing remote CA. If using a remote CA, make sure it is dedicated to issuing only health certificates. Click Next

8. Select whether to configure the HRA to allow only domain-authenticated users to get health certificates. Click Next

9. Select a server authentication certificate to be used to encrypt the network traffic. The certificate should be from an authority that is trusted by all of the clients, either an internal enterprise domain CA or an external third-party CA. Click Next

10. On the Confirmation page, click Install.

11. Click Close when the wizard completes
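The wizard steps above, scripted as an added example (not from the original page) in Windows PowerShell on Windows Server 2008 R2: it installs the Network Policy Server role service, registers NPS in Active Directory, and defines one RADIUS client with a generated shared secret, as described in the RADIUS Server section. The domain, server name, client name and address are placeholders; run it from an elevated prompt.

```powershell
# Added example (not from the original page). Assumes Windows Server 2008 R2,
# an elevated Windows PowerShell prompt, and placeholder names that you
# replace: domain corp.example, server NPS01, access point AP-Floor1.

Import-Module ServerManager

# Install the Network Policy Server role service of the Network Policy and
# Access Services role. Get-WindowsFeature NPAS* lists the other role
# services (HRA, HCAP, RRAS) if you also need them.
$result = Add-WindowsFeature NPAS-Policy-Server
if (-not $result.Success) { throw "NPAS-Policy-Server installation failed" }

# Register NPS in Active Directory so it can read the dial-in properties of
# domain user accounts (adds the server to the RAS and IAS Servers group).
netsh nps add registeredserver domain = "corp.example" server = "NPS01"

# Generate a random per-client shared secret instead of typing one. The
# secret protects the RADIUS exchange with the access point, so it should be
# long and unique per client. The 64-symbol alphabet keeps byte % 64 unbiased
# and avoids characters that would need quoting on the netsh command line.
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $chars = [char[]](65..90) + [char[]](97..122) + [char[]](48..57) + [char[]]'-_'
    $bytes = New-Object byte[] $Length
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}
$secret = New-RadiusSharedSecret

# Add a wireless access point as a RADIUS client. A single address works in
# every edition; an address range is accepted only on Enterprise/Datacenter.
netsh nps add client name = "AP-Floor1" address = "10.10.1.20" state = "enable" sharedsecret = "$secret"

# Show the secret once so it can be entered on the access point, then discard it.
Write-Host "Shared secret for AP-Floor1 (configure on the AP, do not store in scripts): $secret"
```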


Windows 2008 Editions and NPS

NPS provides different functionality depending on the edition of Windows Server 2008 or Windows Server 2008 R2 that you install. In the Enterprise and Datacenter editions you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure a group of RADIUS clients by specifying an IP address range.

In Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query. Windows Web Server 2008 does not include NPS.

You can upgrade a server running Windows Server 2003 and IAS to Windows Server 2008 and NPS. During the upgrade process, the server configuration is preserved, but remote access policies are renamed to network policies.


New features in Windows Server 2008 R2

NPS Templates and Templates Management. NPS templates allow you to create NPS server configuration elements, such as RADIUS clients or shared secrets, that you can reuse on the local server running NPS and export for use on other NPS servers. Templates Management provides a node in the NPS console where you can create, modify, and save templates. In addition, you can export templates for use on other NPS servers, or import templates into Templates Management for use on the local computer.

RADIUS accounting improvements. Includes a new accounting configuration wizard that allows you to easily configure SQL Server logging, text file logging, or a combination of these two logging types. You can also use the wizard to automatically configure an NPS database on a local or remote SQL Server.

Full support for international, non-English character sets using UTF-8 encoding.


NPS and Active Directory

When a server running NPS is a member of an Active Directory domain, NPS uses the directory service as its user account database and is part of a single sign-on solution.